The following sections describe the steps you must perform
to create a certificate chain. Before you create the chain, you
must have the following certificates:
With the Certificate Tool, you can generate an X509 certificate
for an intermediate CA or RA (Registration Authority). Perform the
following steps to generate an X509 certificate.
Create a certificate signing request. (Select item 3 in the Certificate Tool Main Menu.)
Sign the certificate signing request with the root CA certificate. (Select item 6 in the Certificate Tool Main Menu.)
To create an intermediate CA, you must encrypt the private
key when you create the certificate signing request (with PEM passphrase).
Creating a Client/Server Certificate Signed with an Intermediate CA Certificate
After you create an intermediate CA certificate (described
in the previous section), create a client/server certificate as
follows:
Create a certificate signing request. (Select menu item 3 in the Certificate Tool Main Menu.)
Sign the certificate signing request with the intermediate CA certificate. (Select menu item 6 in the Certificate Tool Main Menu.)
Encrypting the private key is not required for creating a
client/server certificate. However, if the key is encrypted,
you can also use the certificate as an intermediate CA certificate
with which another certificate will be signed.
Creating a Certificate Chain File
Some OpenSSL APIs require a certificate chain file. This file
contains certificates that form the certificate chain (from the
client/server certificate to the root CA certificate).
To create a certificate chain file, append the certificates
of intermediate CA(s) and the root CA to the client/server certificate.
The order in the file can be expressed as follows:
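The whole procedure above and the resulting file order (client/server certificate first, root CA last), as an added example that drives the openssl command line directly instead of the Certificate Tool menus. It is not from the original page; the subject names, file names and passphrase are constructed, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: names, paths and the passphrase are constructed for illustration.
set -eu

build_chain() (   # $1 = empty working directory
  cd "$1"
  # Private minimal config so the result does not depend on the system openssl.cnf.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = req
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA (self-signed).
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 30
  # Intermediate CA: CSR with a passphrase-encrypted key, signed by the root.
  # (pass: is for the demo only; it exposes the passphrase in the process list.)
  openssl req -new -config ca.cnf -newkey rsa:2048 -passout pass:example-passphrase \
    -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA"
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -days 30 -out inter.pem
  # Client/server certificate: CSR signed by the intermediate CA.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=server.example.test"
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
    -passin pass:example-passphrase -CAcreateserial -days 30 -out leaf.pem
  # Chain file: client/server certificate, then intermediate CA(s), then root CA.
  cat leaf.pem inter.pem root.pem > chain.pem
  # Cryptographic check of the same chain.
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem
)

# Succeeds only if each certificate's issuer is the next certificate's subject
# and the last certificate is self-issued (the root).
chain_order_ok() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
  awk '/^subject=/ { s[++n] = substr($0, 9) }
       /^issuer=/  { i[n] = substr($0, 8) }
       END { if (n < 2) exit 1
             for (k = 1; k < n; k++) if (i[k] != s[k + 1]) exit 1
             exit (i[n] == s[n] ? 0 : 1) }'
}

workdir=$(mktemp -d)
build_chain "$workdir" >/dev/null 2>&1
chain_order_ok "$workdir/chain.pem" && echo "chain order OK"
```

`chain_order_ok` compares names only, so it catches a mis-ordered file; `openssl verify` is what checks the signatures.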